Logstash过滤器正则表达式进入字段 [英] Logstash filter Regex into Field

问题描述

我在解析日志行时遇到一些问题.

I am facing some issues with parsing a logline.

我有大量的日志行，每个日志行都包含一个主机名，例如ABC123DF 我已经写了一个正则表达式，我想将其应用到日志行，并将主机名放在"victim"字段中，如下所示:

I Have thousends of loglines and every logline contains a hostname like ABC123DF I Have writen a regex and I want to apply it to the logline and put the hostname in the field "victim" Like this:

add_field => [ "victim", "/[a-z][a-z][a-z][0-9][0-9][0-9].."

我使用了Mutate过滤器，但结果是

I have used the Mutate filter but the result is

受害者/[a-z] [a-z] [a-z] [0-9] [0-9] [0-9] ..

victim /[a-z][a-z][a-z][0-9][0-9][0-9]..

我想看看:

受害者ABC123DF

victim ABC123DF

我该怎么做?

推荐答案

我使用此网站， http://grokconstructor.appspot.com/do/match#result ，以测试我的正则表达式.

I user this site, http://grokconstructor.appspot.com/do/match#result, to test my regex.

在我的mongodb日志中，我有以下文字:

In my mongodb log, I have this text:

2016-05-17T16:26:07.018-0300我查询[conn50628097] getmore dataBaseName.collectionName查询:{empresa:"********"} cursorid:443889850763 ntoreturn:0键更新:0 writeConflicts:0 numYields:69 nreturned:8886 reslen:1184746 locks:{Global:{ acquisitionCount:{r:140}}，数据库:{acquisitionCount:{r:70}， acquisitionWaitCount:{r:66}，timeAcquiringMicros:{r:98046}}， 集合:{acquisitionCount:{r:70}}} 178ms

2016-05-17T16:26:07.018-0300 I QUERY [conn50628097] getmore dataBaseName.collectionName query: { empresa: "********" } cursorid:443889850763 ntoreturn:0 keyUpdates:0 writeConflicts:0 numYields:69 nreturned:8886 reslen:1184746 locks:{ Global: { acquireCount: { r: 140 } }, Database: { acquireCount: { r: 70 }, acquireWaitCount: { r: 66 }, timeAcquiringMicros: { r: 98046 } }, Collection: { acquireCount: { r: 70 } } } 178ms

要获取查询和时间，请在配置文件中创建此过滤器:

For get query and time, in config file, I make this filter:

    filter {
      if [source] == "/var/log/mongodb/mongod.log" {
        grok {
          match=> {
            "message" => [
              "(getmore|query)\s(?<mongo_database>[a-zA-Z_]+)\.(?<mongo_collection>[a-zA-Z_.]+)\s?query:\s(?<mongo_query>\{.*?\})\s(cursorid|planSummary).*?\s(?<mongo_totaltime>[0-9]+ms)"
            ]
          }
        }
      }
    }

使用:

    (?<you_new_field_name>you_regex)you_regex(?<you_new_field_name>you_regex)(?<you_new_field_name>you_regex)

在此之后，您可以进行以下操作:

after this, you can make:

    add_field => [ "tag_text_optional%{you_new_field_name}", "%{you_new_field_name}" ]

这篇关于Logstash过滤器正则表达式进入字段的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！